Data Processing Addendum (DPA)
Last updated: November 30, 2025
Template outline – final signed version governs. Not legal advice.
1. Roles
Customer acts as Data Controller; Semantic Pilot acts as Data Processor for personal data submitted through platform features.
2. Scope & Purpose
Processing is limited to providing SaaS functionality: research generation, content creation, analytics, account administration, and security monitoring.
3. Data Categories
- Identification: email, display name (optional).
- Operational: usage metrics, research inputs, generated outputs.
- Technical: IP (transient logs), timestamps, diagnostic metadata.
4. Subprocessors
We engage vetted providers (hosting, AI APIs, search APIs). Current list available on request. Customer may subscribe to change notifications.
5. Security Measures
- Access control & least privilege.
- Encryption in transit (TLS) & at rest (provider defaults).
- Monitoring & anomaly detection.
- Segregated environments and API key management.
6. Data Subject Rights
We assist Controller with responses to access, correction, deletion, and portability requests as far as reasonably possible within the platform architecture.
7. International Transfers
Data may be processed in regions where subprocessors operate. Standard contractual safeguards (where required) will be implemented for cross-border transfers.
8. Incident Notification
We will notify Controller without undue delay after becoming aware of a confirmed personal data breach affecting their data.
9. Retention & Deletion
Upon termination or written request, we will delete or return personal data unless retention is mandated for compliance or security audit trails.
10. Audits
Controller may request summaries of security practices. Formal audits may require prior notice and reasonable scoping to avoid platform disruption.
11. Contact
DPA inquiries: contact us.